feat(auth): migrate JWT storage from localStorage to httpOnly cookies

Eliminates XSS token theft risk by storing session JWTs in an httpOnly
cookie (trek_session) instead of localStorage, making them inaccessible
to JavaScript entirely.

- Add cookie-parser middleware and setAuthCookie/clearAuthCookie helpers
- Set trek_session cookie on login, register, demo-login, MFA verify, OIDC exchange
- Auth middleware reads cookie first, falls back to Authorization: Bearer (MCP unchanged)
- Add POST /api/auth/logout to clear the cookie server-side
- Remove all localStorage auth_token reads/writes from client
- Axios uses withCredentials; raw fetch calls use credentials: include
- WebSocket ws-token exchange uses credentials: include (no JWT param)
- authStore initialises isLoading: true so ProtectedRoute waits for /api/auth/me

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

server/src/routes/oidc.ts

@@ -6,6 +6,7 @@ import { db } from '../db/database';
 import { JWT_SECRET } from '../config';
 import { User } from '../types';
 import { decrypt_api_key } from '../services/apiKeyCrypto';
+import { setAuthCookie } from '../services/cookie';
 
 interface OidcDiscoveryDoc {
   authorization_endpoint: string;
@@ -289,6 +290,7 @@ router.get('/exchange', (req: Request, res: Response) => {
   if (!entry) return res.status(400).json({ error: 'Invalid or expired code' });
   authCodes.delete(code);
   if (Date.now() - entry.created > AUTH_CODE_TTL) return res.status(400).json({ error: 'Code expired' });
+  setAuthCookie(res, entry.token);
   res.json({ token: entry.token });
 });